
It's pretty clear you don't understand what a Windows Service Pack is and is not, despite you calling other people idiots in your ignorance. So allow me to attempt to correct your misconceptions.

Do you know how many security patches are in the average Windows SP?
Yes, all the ones that had previously been released for the given version of Windows up to the time of release of the Service Pack. Service Packs are not, nor have they ever been, a sole source for the installation of security updates. They offer a convenient package for the cumulative set of prior released security updates, but they do not patch "new" vulnerabilities that have not been previously patched. That is, all the security patches they include are already available separately on Windows Update. For a period of time, two years for Windows, new security updates are made available for both the SP version and whatever came before it, so your security risk is largely imagined. The only issue here is the two-year support period is coming to a close so patches will no longer be offered for the original Windows 7.

I'm sorry but anybody who has waited this long and not applied SP1 is indeed an idiot because every script kiddie on the planet uses those patches and SPs to reverse engineer new exploits specifically targeting fools that don't update the thing.
Dude, script kiddies don't wait for Service Packs. SPs do not patch previously unknown security issues. They merely include all the previously released security patches in a single update (among many other updates). Hackers wanting to reverse engineer a security update can do so as soon as it's released as part of the monthly MSFT patch cycle. Why wait for a Service Pack? And yes, I say hackers. Reverse engineering binaries and creating exploit code is generally outside the realm of script kiddies. If you keep up to date with monthly Windows updates you have all the security patches that the system with the Windows SP has. In fact, if the latter isn't keeping up to date with monthly patches you have more than the Windows SP system has.

So there really is no excuse......you can take a bare drive and have a fully loaded fully patched Win 7 system in less than an hour and a half
I'm going to tell you something that is going to surprise you. The two-year support overlap for Windows patches isn't about you. Microsoft doesn't invest the no doubt significant additional resources of developing multiple versions of a given patch for different Service Pack releases so home users have a nice two years to update. The issue here is corporate customers who have anywhere from tens to tens of thousands of computers to update. Service Packs for modern releases of Windows include hundreds to thousands of updates, and quite often, new features. They can and do introduce breaking changes, and so there's no guarantee that software that used to work will continue to after a Service Pack (though in the overwhelming majority of cases it should). Systems need to be tested before deploying an SP, and for larger companies, two years isn't unreasonable. Deploying a major OS update to 10,000 computers in a sane way with minimal breakage is not trivial.

The fact that IE6 is being patched means someone dropped a NS bomb on them (National Security)...

It's being patched because IE6 shipped with Windows XP and MS guarantees they will support the version of IE that was shipped with a given release of Windows for the support lifetime of that Windows release. Windows XP is supported into 2014, so Internet Explorer 6 on Windows XP is as well. This is not a secret.

At least, I assume that is the prevailing attitude on Slashdot these days? Let's see:

IE Patch to Fix 57 Vulnerabilities
No, as per the linked Security Bulletin Advance Notification a total of 57 vulnerabilities are being fixed across Windows, Internet Explorer, Office & the .NET Framework. There are not 57 vulnerabilities exclusively in Internet Explorer as the title suggests. We can likely further expect certain vulnerabilities to only be applicable to certain versions of Internet Explorer once the full details are available.

Microsoft is advising users to stick with other browsers until Tuesday
Source?

...when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled.
No, as noted above, the vulnerabilities are across a variety of products. Further, 13 "patches" (aka updates or bulletins if you prefer) are being released as multiple vulnerabilities are often patched in a single update. As per the linked bulletin, there are two bulletins being released for Internet Explorer, which would typically result in two updates for Internet Explorer for a given Windows installation. Of course, there'll be many different updates released for different versions of IE and architectures (i.e. 32-bit/64-bit/etc.) but a given Windows installation shouldn't have more than two applicable to it.

No word on whether IE 10 will be included as part of the 57 updates.
Apart from the explicit reference to Internet Explorer 10 being affected by at least some of these vulnerabilities in the linked MS Advance Notification? Have you tried reading the very articles you post? I'm reliably informed it helps comprehension.

Are the editors trying to set a new record for inaccuracies within a small paragraph of text?

I'm not disputing your central point but there are a few technical reasons that account in part for the much greater usage of space on modern Windows operating systems relative to Linux distributions. They may interest some, and are worth keeping in mind:

WoW64 Compatibility Layer
Specific to 64-bit installs is that 32-bit binaries are also installed for the vast majority of the operating system. This is due to the WoW64 compatibility layer that allows for (generally) seamless usage of 32-bit software on a 64-bit Windows operating system. Effectively, a full 32-bit copy of all the OS libraries and binaries is installed alongside the 64-bit native copies. During usage of the operating system you're generally running 64-bit native code with some exceptions (e.g. Internet Explorer is by default 32-bit due to the plug-in problem); however, when you run a 32-bit application it will be able to pull in all the 32-bit libraries it needs from the Windows install. On modern Windows Server systems you can actually outright remove the WoW64 compatibility layer, removing all those extra binaries, and in the process losing the ability to run 32-bit applications. This isn't an option on client versions of Windows (although it would be nice). Obviously, what with the overwhelming majority of Linux software being open-source, the need to include 32-bit libraries is much diminished due to most software being ported to 64-bit with relative ease and native 64-bit packages being offered. At any rate, the WoW64 compatibility layer will easily add several gigabytes to the install.

Windows Servicing
Another key distinction with Linux systems is how the system is serviced (i.e. OS updates are applied). When you install an update to Windows via Windows or Microsoft Update an update package is downloaded and installed which will include any number of updated binaries. Crucially, the original binaries are not removed but kept in a cache in case they are needed later. This is important in the event an update is removed in future, as it allows Windows to automatically downgrade the affected binaries to the "next best" binaries available in the servicing cache (which might be the originally released versions, or those from an earlier update). Obviously, this results in Windows installations growing larger over time as they accumulate many additional versions of binaries as they are distributed via Windows or Automatic Updates. The effect is doubled in the case of 64-bit installations as the update will typically include both 32-bit and 64-bit binaries in the case that WoW64 includes 32-bit versions of the targeted binaries. For the curious, you can find all the distinct packages installed on a Windows system under C:\Windows\WinSxS. The directory will typically be huge both in size and number of files/folders. Almost everything in the C:\Windows folder and various other parts of the system are in fact just hard links to files in this folder. When an update is installed (or removed), these hard links are updated to point to the appropriate binary files in the associated packages in the cache.

At any rate, these two aspects of Windows alone can add a substantial amount of extra data to the installation. That being said, storage is cheap, so it generally outweighs the negatives, but with SSDs being smaller capacity than most traditional HDDs, you can in some cases feel the pressure!
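As an added illustration of the two mechanisms described above (WoW64 duplicate binaries and WinSxS hard links), the following PowerShell script is not code from the original comment. For one DLL name it finds the native copy in System32 and the WoW64 copy in SysWOW64, reads each PE header's machine type to show they are different architectures, and lists the WinSxS component folder each copy is hard-linked to. It assumes a 64-bit Windows host and that fsutil.exe (shipped with Windows) can list hard links for the account you run it under.

```powershell
# Added example (not code from the original comment). For one DLL name, find the native
# 64-bit copy in System32 and the WoW64 32-bit copy in SysWOW64, read each PE header's
# machine type to confirm they are different architectures, and list the WinSxS component
# each copy is hard-linked to. Assumes a 64-bit Windows host and fsutil.exe.
param([string]$DllName = 'ntdll.dll')

function Get-PeMachine {
    # IMAGE_FILE_HEADER.Machine: e_lfanew at DOS-header offset 0x3C points at "PE\0\0",
    # and the 16-bit Machine field follows that signature at +4.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')
        $peOffset = $br.ReadInt32()
        [void]$fs.Seek($peOffset + 4, 'Begin')
        $machine = $br.ReadUInt16()
    } finally { $fs.Dispose() }
    switch ($machine) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        0xAA64  { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }
}

function Get-HardLinkNames {
    # fsutil lists every NTFS hard-link name of the file, one per line, without the drive letter.
    param([Parameter(Mandatory)][string]$Path)
    $root  = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # e.g. "C:"
    $lines = & fsutil.exe hardlink list $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    return @($lines | Where-Object { $_ } | ForEach-Object { $root + $_ })
}

$copies = [ordered]@{
    'System32 (native 64-bit)' = Join-Path $env:SystemRoot "System32\$DllName"
    'SysWOW64 (32-bit layer)'  = Join-Path $env:SystemRoot "SysWOW64\$DllName"
}
foreach ($label in $copies.Keys) {
    $path = $copies[$label]
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$label : $path not present"; continue }
    $links = Get-HardLinkNames -Path $path
    # WinSxS link names sit in component folders named like <arch>_<component>_<pubkey>_<version>_none_<hash>
    $components = @($links | Where-Object { $_ -like '*\WinSxS\*' } | Split-Path -Parent | Split-Path -Leaf)
    [pscustomobject]@{
        Copy      = $label
        Path      = $path
        Machine   = Get-PeMachine -Path $path
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        LinkCount = $links.Count
        WinSxS    = ($components -join '; ')
    }
}
```

On a typical 64-bit install the System32 copy reports x64 and the SysWOW64 copy x86, with different hashes, and each points into a distinct amd64_ or x86_ component folder under WinSxS, which is the duplication the comment describes.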

How sad and cynical do you have to be to seriously believe that all the time and money Gates has spent, especially post-Microsoft, is some sort of elaborate ploy to make people think better of him? I'm sure he's under no illusion that he can convince certain elements of the Slashdot community, but really, that's far more a reflection on those people than it is him.

Your comment has truly depressed me. Doubly so that it got modded anything other than flamebait.

Let me re-phrase on your behalf:
"What kind of company wouldn't exploit every loophole or legal avenue available to pay the absolute minimum amount of taxes in the country they do business in and reap the benefits of? Hey, provided it's not actually illegal, who cares if it's wholly unethical?"

At some level, it's a frankly depressing picture of humanity that we can so easily rationalise away doing pretty much anything in the name of material pursuit, so long as it doesn't outright violate national laws. What's worse is that I hate the fact that governments are seemingly enacting ever more legislation, ever more restricting our rights, and yet, it seems that when it comes to things like tax law, the reason is because if they don't, people will abuse it unless it is absolutely watertight. Hell, people admit they are looking for and exploiting the system as if it's a badge of honour, as if they'd be somehow morally liable if they didn't abuse the system.

You can code multithreaded applications with Visual C++ Express, and you can develop 64-bit applications with Visual C++ Express. So, you're a troll, ignorant, or both. You are correct that profiling requires a (seriously expensive) Visual Studio edition, but profiling is an advanced compiler feature, not an "I need this to develop useful stuff" feature. I do think it would be nice if it weren't locked away in an expensive VS edition, but, it's hardly something you need to code your apps.

Um, Microsoft makes its C/C++ compiler available for free, along with the Windows SDK. You're probably thinking of Visual Studio, but Microsoft makes a basic version for C/C++ free as Visual C++ Express; effectively, a basic Visual Studio edition purely for C/C++ coding without the enterprise features. If you need those features, you're probably doing more than hobbyist development/basic development.

This does actually make some level of sense, the reason being, Microsoft has to pay to license the required codecs for playback of DVDs, Blu-rays, HD-DVDs, etc... when they bundle them with Windows (think H264, for example). This does result in a price increase to the cost of every Windows license. Media playback is one of the very few areas of the Windows operating system where Microsoft has to pay a per-license additional cost for the inclusion of this extra code (I can't think of any others, but I'm sure other Slashdotters may have insight here).

So, why should everyone have to pay the extra fee for these codecs if they have no interest in using them? I can't even remember the last time I watched a physical Blu-ray or DVD on a computer, and when I do watch media, I do it through VLC Media Player. And, after all, this isn't a DRM restriction, go and install VLC Media Player, or ffdshow, or whatever you please, and you can get many/all these codecs via 3rd-party for free. So, honestly, who gives a damn?

Because FLAC is very poorly supported among both portable media devices and media center devices? Further, the difference in actual perceptible quality between a high quality mp3/ogg/wma/whatever encoding and a FLAC encoding is between negligible and non-existent, negating pretty much any benefit of FLAC. Media archival is one area where FLAC is an obvious choice, but bit-for-bit storage is generally something only a subset of music enthusiasts care about, and so unless constantly transcoding FLAC into a format that your chosen non-PC device supports is your idea of a good time, then it's just not worth the effort...

Microsoft created a liberal dynamic library search path that allows (or even encourages) applications to not fully specify DLL locations. Now, after the fact, they publish this security statement saying not to use the dynamic library searching they documented previously.

So basically, your suggestion is to design an OS that ensures that it is secure by taking away API calls that could be misused in a way that compromises security? By your own admission, it is a documented specification, and it is behaving exactly as it is intended to. It isn't a "bug" in the API, it's misuse by various developers. However, Microsoft is at fault for how developers (its own or 3rd-party) misuse an API call that is fully documented and behaving exactly as intended? This makes absolute, perfect sense.

It is of course Microsoft's fault. They didn't consider security at all when loading DLLs, and now they are blaming applications that implemented the documented specification.

Yes, they are blaming applications that have incorrectly used the documented specification. And, they have provided the capability to control remote loading of DLLs through a patch that can be targeted at individual applications or the entire OS. What more can reasonably be done?

The bottom line is that Windows was never designed to be secure, it was designed to have the most functionality, and trying to patch every hole now is almost impossible. Generally, when code reaches this level of complexity and brittleness, it is often the best course to start all over.

And this is factually wrong. Windows NT (as opposed to Windows) was designed from Day 1 to be secure. You can argue whether they succeeded in developing a secure OS, and that might be a far more interesting debate, but to argue that it was never designed to be secure is incorrect. This is a fact of historical record. I'd argue that earlier versions of Windows NT were significantly flawed from a security perspective while modern versions (Vista and newer) are significantly improved, but that's another debate.

Essentially, your entire argument is that it is Microsoft's fault for providing a documented API that can be misused. I'll grant the defaults could have been chosen better, but competent programmers need to be aware of these issues. I'm mildly surprised it's getting the coverage it is, as this isn't some brand new attack; this issue has been known about for some time and not gotten a lot of coverage because it simply isn't that big a deal and is not a flaw in the underlying OS. For example, this blog post from early 2008 covers the issue (and was linked in some more recent blog posts):
DLL Preloading Attacks
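The comment above refers to Microsoft's fix that lets administrators control current-directory DLL loading per application or for the whole OS. As an added example, not code from the original comment, this PowerShell script audits that control. It assumes the registry value is CWDIllegalInDllSearch, set system-wide under the Session Manager key or per application under Image File Execution Options, with the value meanings Microsoft documented in the KB article for that update; verify those against the article for your Windows build before relying on the report.

```powershell
# Added example (not code from the original comment): audit the CWDIllegalInDllSearch
# control that Microsoft's DLL-preloading update introduced, system-wide under Session
# Manager and per application under Image File Execution Options. Registry paths and
# value meanings follow Microsoft's KB article for that update; verify for your build.
$valueName = 'CWDIllegalInDllSearch'
$systemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-RegistryDword {
    # Returns the REG_DWORD as an unsigned 32-bit integer, or $null when it is absent.
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # REG_DWORD surfaces as Int32, so 0xFFFFFFFF arrives as -1; normalise it.
    return [uint32]([int64]$props.$Name -band 0xFFFFFFFF)
}

function Describe-CwdSetting {
    param($Value)
    if ($null -eq $Value) { return 'not set: default order, current directory is searched' }
    switch ($Value) {
        0xFFFFFFFF { 'current directory removed from the DLL search order' }
        0          { 'explicitly default: current directory is searched' }
        1          { 'current directory blocked only when it is a WebDAV folder' }
        2          { 'current directory blocked when it is remote (WebDAV or UNC)' }
        default    { 'unrecognised value 0x{0:X8}' -f $Value }
    }
}

function New-Row { param($Scope, $Target, $Setting)
    [pscustomobject]@{ Scope = $Scope; Target = $Target; Setting = $Setting } }

$report = @()
$report += New-Row 'System-wide' $valueName (Describe-CwdSetting (Get-RegistryDword $systemKey $valueName))
# Per-application overrides live in an IFEO subkey named after the executable.
foreach ($app in Get-ChildItem -LiteralPath $ifeoKey -ErrorAction SilentlyContinue) {
    $v = Get-RegistryDword $app.PSPath $valueName
    if ($null -ne $v) { $report += New-Row 'Per-application' $app.PSChildName (Describe-CwdSetting $v) }
}
# SafeDllSearchMode (on by default since XP SP2) checks the system directories before the
# current directory; a value of 0 moves the current directory ahead of them again.
$safe = Get-RegistryDword $systemKey 'SafeDllSearchMode'
$safeText = if ($null -eq $safe -or $safe -eq 1) { 'enabled (default)' } else { 'DISABLED' }
$report += New-Row 'System-wide' 'SafeDllSearchMode' $safeText
$report | Format-Table -AutoSize -Wrap
```

A system-wide "not set" row with SafeDllSearchMode enabled is the stock configuration the comment argues is adequate when applications use the documented search order correctly; the per-application rows show where the targeted mitigation has actually been applied.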

OK, there's a fix for that, but only if you can call the awful kludge that is WinSxS a "fix".

I always thought that WinSxS was quite an elegant fix to a difficult problem. Put it this way, I still have nightmares about DLL Hell from the bad old days, but have yet to encounter a problem due to WinSxS. The closest I've come is one or two applications making assumptions about dependencies (i.e. not bundling the required installers and not failing gracefully). Have you had issues with WinSxS?

"How do we empower top scientists working in industry to lead science-minded positive change within their organizations?... How do companies who seek genuine dialogue with this community engage?"

The answer is:
Said "top scientists working in industry" are welcome to do all of the above, and should be encouraged to do so in fact, but the determining factor of whether their work is published should be one purely of merit; not payment for publicity or any other form of bribe that results in direct gain to the publisher.

Wait, what? No Windows Service Pack has ever forced an update of Internet Explorer; maybe NT 4.0 did as I can't remember that far back, but definitely nothing since Windows 2000 onwards. Windows XP SP3 will install fine with IE 6.0 (XP bundled version). They'd be breaking their own support policy by even doing so, as Microsoft commits to supporting the version of IE that is shipped with every Windows version for the lifetime of support for that OS release. Seriously, where do you trolls get your garbage? You're not picking exceptions, you're claiming shit that has never happened.